TROYANOSYVIRUS

CVE-2024-27443

MEDIUM | CISA KEV | 6.1

Description

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

CVE Details

CVSS v3.1 Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Published: 8/12/2024
Last Modified: 10/31/2025
Source: kev
Honeypot Sightings: 0

CISA KEV

Vendor: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Vulnerability Name: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
KEV Date Added: 2025-05-19
Remediation Due Date: 2025-06-09
Ransomware Use: Unknown

Affected Products

zimbra:collaboration

Weaknesses (CWE)

CWE-79

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.